Persistent disagreements between the United States and the European Union over the treatment of personal data threaten to undermine international standards. EURACTIV France reports.

Consumer protection or fundamental rights? The issue of how to protect citizens’ personal data is acting as a wedge, driving the European Union and the United States apart.

The approaches towards data protection adopted by the world’s two largest economies, currently in the midst of free trade negotiations (TTIP), could not be more different.

Fundamental rights

In Europe, the protection of personal data is a fundamental right. This status is protected by several texts, including the EU Charter of Fundamental Rights, whose article 8 states that “Everyone has the right to the protection of personal data concerning him or her.”

On the other side of the Atlantic, data protection is viewed through the prism of consumer protection.

At a debate organised by the Mines-Télécom Institute on Friday (8 January), the President of the French Data Protection Authority (CNIL) Isabelle Falque-Pierrotin, said, “Data protection is very much influenced by the cultural sensibilities of each country, and differences exist between the United States and the EU. We view personal data as a fundamental right, while the Americans are more interested in consumer protection.”

These are important differences. “Today, data protection can no longer be a national, or even European preoccupation, because we consume lots of foreign data from non-European, and specifically American companies,” Falque-Pierrotin added.

American companies like Facebook, Google and Apple transfer European data to the United States for processing and storage.

“Data protection has become a critical issue on which we cannot fail,” said Claude Moraes, a British Labour Party MEP and president of the European Parliament’s Civil Liberties, Justice and Home Affairs committee (LIBE). “And our data protection standards are higher than those of the United States, who try to get around our rules,” he added.

The protection of personal data in Europe, still covered by a directive dating from 1995, was reinforced by new legislation adopted in December 2015. These new rules, whose adoption follows four years of fierce debate between the different institutions, include a provision to fine companies up to 4% of their turnover for infringements.

Besides the strengthened legal framework, EU-US relations on the subject are anything but harmonious. In October last year, the European Court of Justice rejected the Safe Harbour agreement, which allowed American companies to process EU data according to US standards.

The European court found that the American law did not guarantee an appropriate level of protection for European citizens. A decision which has opened the door to new negotiations between the EU and the United States, which may see both sides entrench yet more firmly in their battle lines.

Long battle on the horizon

“The European Union has chosen to make data protection a fundamental right, which means that European data must still be protected, even if it is exported,” the president of CNIL said.

A group of representatives from the various European data protection authorities, known as the Article 29 Working Party, has called for the implementation of an international agreement on data protection, to ensure that high standards are upheld.

“It is very clear since the European Commission’s invalidation of Safe Harbour that we do not need a new commercial agreement, but a broader agreement that covers access to personal data by spy services,” the president of the French authority said.

This is a long-term objective, as the negotiation of Safe Harbour 2 is currently the priority of the European authorities.

“Safe Harbour is not an international agreement. Placing data protection in an international legislative framework is a long-term objective,” said Paul Nemitz, the director for Fundamental rights and Union citizenship at the European Commission’s DG Justice.

Background

In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.

The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).

Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.

Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.

European politicians reacted angrily to the news and called for stricter measures to ensure privacy.